1. Technical Field
Embodiments of the invention relate to the field of network security, and more specifically to auto discovery of an authenticator for web-based network login.
2. Copyright Notice/Permission
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright© 2001, Extreme Networks, Inc., All Rights Reserved.
3. Background Information and Description of Related Art
In recent history, the architecture of computer network topologies has changed dramatically. In the past, computer networks were mainly private networks contained within a private office. Now, however, an entire building with multiple offices of different companies may make up a single local area network (LAN), a user may use a laptop to access a wireless LAN in a public place, or a student may plug a laptop into network ports in various classrooms. Situations like these open a network to potential cyber-attacks that may compromise the security of network resources and also prevent access by legitimate users. As a consequence, network resource providers are under enormous pressure to provide bulletproof security and foolproof access control, so that no matter what type of method a user uses to access the network, whether it be via a modem, network interface card (NIC), or by some other means, private information and network resources remain secure. Security mechanisms in the devices at the network edge, such as LAN switches, are particularly critical because they grant access to the rest of the network.
The difficulties associated with securing a network have existed ever since computer networks were first introduced. Over the years a variety of techniques have been employed to provide network security. Generally most of these security techniques take place between network nodes (a node is an end point for data transmissions, such as a computer workstation, network server, CD-ROM jukebox, or some other such device) and not between connection points (a connection point is an intermediate point in the network, such as a router, hub, or a switch). Some of those methods include encryption techniques to prevent unauthorized access to a network resource, such as a network server or network printer. For example, techniques like private key and public key encryption codes transmit encrypted data between individual machines.
A common network security technique is the login procedure, which occurs when a network node attaches to a network resource, such as when a user logs into a server. Typically, the user is prompted for authentication information, such as a username and password or an identification card. Once the user inputs the authentication information, an authentication system compares the user's input to user authentication and authorization information stored in a database. If the user's input is valid, the user is granted access to certain administrator-defined network resources.
An example of an authentication system employed in login procedures is the Novell Directory Services database or the Remote Authentication Dial-In User Service (RADIUS). The RADIUS service is actually a protocol for carrying authentication, authorization, and configuration information between an access server and an authentication server. The RADIUS protocol has been documented as an Internet standard protocol, the most recent version of which is Request For Comment (RFC) 2865, Rigney, C., Willens, Rubens, A., Simpson, W., RADIUS, June 2000.
A login procedure using the RADIUS protocol secures networks against unauthorized access using a centralized authentication server (“the RADIUS server”) in communication with an access server (“the RADIUS client”) using the RADIUS protocols. All of the user information necessary for authenticating users seeking access to the network and various network services resides on the RADIUS server. A network access server operates as a RADIUS client by sending authentication requests to the RADIUS server using the client protocols. In response the RADIUS server either accepts, rejects, or challenges the authentication request, and the RADIUS client acts on that response to permit or deny access to the network and various network services, or to request more information from the user.
A drawback to prior art login procedures is that a user who plugs a computer into a network port has immediate access to the network, although they may not necessarily have access to any of the resources on the network (i.e. they have not yet successfully completed the login procedure).
Other prior art network security techniques have been implemented at a connection point (i.e. at the LAN switch level) to prevent intruder and hacker attacks. For example, algorithms and techniques have been designed and implemented in LAN switches to prohibit cyber-attacks, such as access control lists (ACLs), Denial of Service (DoS) attack protection as documented in Request for Comments (RFC) 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, January 1998, and Synchronize (SYN) attack protection.
For example, access lists were developed to combat cyber-attacks on the LAN switch by providing an administrator-controlled list of Internet Protocol (IP) addresses or media access control (MAC) addresses that were authorized to access the network. DoS and SYN attack protections are based on similar concepts. For example, when a hacker overloads a targeted connection point such as a router or a LAN switch with incoming data packets, the router or LAN switch is prevented from accepting new legitimate requests for services, resulting in a denial of service. When the targeted device is behind a firewall, an access list protects against such attacks by explicitly restricting inbound access to the device to a select few IP addresses.
A major drawback to access lists, DoS, and SYN attack protections is that access to the network is machine- or hardware-based instead of user-based. Therefore, an unauthorized user who has access to an authorized machine can still gain access to the network, completely bypassing the intended security protection. Moreover, publicly accessed network resources, e.g. a web server not protected by a firewall, are more susceptible since access to a public resource cannot usually be restricted to certain machines or IP addresses. Finally, most of the security measures currently in place to defend against such attacks are proprietary and therefore expensive to implement.